The Mac Security Blog

The Top Apple Security and Privacy News of 2024 – Intego Mac Podcast Episode 376

This week’s Intego Mac podcast features a look back at the top security and privacy news of 2024.




Transcript of Intego Mac Podcast Episode 376

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, December 26, 2024. This week’s Intego Mac Podcast features a look back at the top security and privacy news of 2024. Now here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:29
Good morning, Josh, how are you?

Josh Long 0:31
I’m doing well. How are you, Kirk?

Kirk McElhearn 0:32
I’m doing just fine. Merry Christmas.

Josh Long 0:35
Yeah, that’s right. We’re releasing this on the week of Christmas. You’re probably hearing this either on December 26 or sometime after that, if you’ve been busy for the holidays.

Kirk McElhearn 0:46
This is our special year-end episode where we’re going to talk about Apple security and privacy in 2024, and you know, as I was drafting this article, looking at the number of issues that we’ve seen, the number of features, a number of vulnerabilities, scams and fake apps, and this part doesn’t even cover malware. But this was a really busy year, wasn’t it, Josh?

Josh Long 1:09
Yeah, we’ve got a whole bunch of different things that we can talk about here. We’re mostly focused really on specifically the security and privacy stories as they relate to Apple. So there might be a few things in here that we’ll talk about briefly that maybe are not directly related to the Apple ecosystem, but that could potentially affect you if you are a user of Apple products, so like, for example, scams and things like that.

Kirk McElhearn 1:34
Okay, so the first thing in the article is mid January, when Google patched its first zero-day vulnerability of the year in Google Chrome. And this was, it sort of rhymed throughout the year as they patched more and more. And so I’ll link to this article in the show notes. And each item we talk about has links to other articles on the Intego Mac security blog. The last one was “Google Chrome browser patches ninth and 10th zero days of 2024.” I don’t remember if there were any more after that, and we just didn’t make an article about it.

Josh Long 2:04
I think it’s just 10 as of when we’re recording this. Now, there is a possibility that maybe before the end of the year, they could have another zero day vulnerability that they patch. So we’ll have to see about that. Google does release new updates pretty frequently, and so there’s still that possibility, as we’re technically we’re recording this on the 18th, so we’re only like halfway through the month of December, so it could still happen.

Kirk McElhearn 2:29
And one thing to point out is this is restart your browser day when you listen to this podcast, because if you don’t restart your browser, Google Chrome will not apply its update, and now the Google Chrome updates apply to a number of browsers that use the Chromium engine, which include Edge and Brave and Vivaldi and Opera, and also Electron apps. So read the link to an article called “Chromium vulnerabilities threaten Electron app security” in the security and privacy overview, to look at how much of an issue this is. It kind of makes me think of Flash Player updates that we used to get all the time. Now it’s true that Flash Player updates were almost weekly. And so if Google does have 10 zero days that it patches in a year, that’s not bad. But of course, there were other vulnerabilities in Chrome that weren’t zero days, right?

Josh Long 3:13
As a matter of fact, again, Google is constantly patching its browsers and so this is really, really important that you keep your browsers up to date. Other apps that also use the Chromium engine. So these include things, by the way, these are the Electron apps that Kirk was talking about. They include things like 1Password, the password manager app, Discord, Dropbox, Slack is a really common one that a lot of people use for messaging. A lot of companies use that for internal messaging. So there’s a whole bunch of these apps on this list, so check that out and make sure that you keep all of your apps up to date.

Kirk McElhearn 3:50
Okay, 2024 was the year of email invoice scams and this sort of scam started rearing its head in 2023 but it reached critical mass in 2024 and we have received so many examples of this, even going to just a few days ago, when there’s been a new PayPal invoice scam. In January, we talk about a fake Geek Squad invoice scam. So the Geek Squad is what this is like, an extended warranty you can get in Best Buy. And these scam emails are sent from legitimate servers so they can evade spam filters. They all talk about a subscription you’ve bought, or a purchase you made, and oh, if you have any problem, well, here’s a number to call. And when you call the number and you talk to the scammers, they try to trick you into installing malware on your computer, getting access to your data, your accounts, and maybe even stealing money from your bank account. So ignore all these scams. But please read some of these articles, because there are very many scams like this going around these days. Okay. Other news in January was Apple released a new feature in iOS 17.3 called Stolen Device Protection for iPhone. We have an article on Intego Mac security blog explaining that it was the 40th anniversary of the Apple Macintosh. Just a computer that changed everything. Now I didn’t have one. The first Mac I ever worked on was, what was the, was it the Macintosh SE, the one that was the same shape, but more powerful. This was around 1990 and in January, Apple patched their first in-the-wild vulnerability, of which there were several during the year.

Josh Long 5:20
Yeah, 40 years is, it was a big year for the Macintosh. We haven’t really seen a lot of really major changes to the Mac product line in the last few years. We did get a Mac Studio, which I guess kind of is sort of a new product, but it’s very similar to the Mac mini and kind of the standalone desktop Macs that we’ve had in the past, like the towers, the Mac Pro, things like that. But yeah, Macs are still going strong after 40 years. We have seen a lot of these in-the-wild vulnerabilities that Apple has patched throughout the year. So January already had one of these. Apple calls them exploited vulnerabilities, or it seems like now and now that we’re at the end of the year, they’ve started going back to calling them actively exploited again. But these are vulnerabilities that have actually been in the wild, according to reports that Apple has received. And so when these things happen, they’re really urgent to make sure to get them patched, because, first of all, somebody’s already using those vulnerabilities against people in real world attacks, and it’s also pretty likely that other people will start to use those same vulnerabilities, because really, anytime Apple patches any vulnerability, it can be reverse engineered, meaning the bad guys can look at exactly how Apple patched something and kind of work backwards and figure out what the vulnerability was, so then they can exploit it in the future.

Kirk McElhearn 6:47
Okay, in February, we started talking about a number of fake apps, or fake LastPass Password Manager, fake crypto apps and Apple’s App Stores. We’re not going to spend any time on this now, because when Josh does his malware review, we’ll be talking more about fake apps. Fake apps are quite a scourge these days. Apple’s App Store app review has a lot of gaps now. March was an interesting period because the European Union’s Digital Markets Act took effect, and this is what forced Apple to allow third party app stores on the iPhone, potentially the iPad soon. But this changed an awful lot. It allowed third party app stores. It presented users with a dialog of the number of web browsers they could choose from to choose their default web browser. It allowed access to the NFC chip for contactless payments in the EU. Now this is EU only. You can read the article that’s linked from this article to learn more about it. The fact that Apple has implemented all this in the EU means that they already have this ready if other countries impose this, and it’s not unlikely this is going to happen, maybe even next year.

Josh Long 7:50
There’s definitely a lot of interest in this from people in other countries, including the US. Epic Games has its own store that is only available in the EU right now, with its own games. So that’s one example of the types of things that people in the US are really going to start wanting more of and just can’t get right now, because Apple’s waiting on being forced to do that by legislation.

Kirk McElhearn 8:17
Okay, in April, there was an interesting story where Apple sent emails to users in some 92 countries warning them that they had been targeted by mercenary spyware attacks. This is attacks using spyware such as Pegasus. These were generally individuals who were targeted. This isn’t your usual scam email or phishing email, and this actually raised an interesting question of how you can tell whether these notifications or emails from Apple are legitimate. So we took a close look at that to show you how Apple security alerts look via text, phone, email, how to spot fakes and when Apple would contact you, because they’re not really going to contact many people for this sort of thing. So if you did get an email from Apple, we discuss how you can verify that that was indeed from Apple. Late in April, and this affected me too, a large number of Apple users discovered that their Apple ID accounts were locked and needed to reset their passwords. This was a really weird story, though. What happened, and we never really understood exactly what was going on, but we do link to an article we published about mysterious Apple ID password resets, what we know and how to protect your account. Now, we’ve been avoiding going over every Apple operating system update, because there were, I don’t know, more than a half a dozen during the year, some of them with lots of fixes, and the one in May had dozens of security fixes. And we again, we have links to articles about each one of these. It’s hard to say whether there’s a lot of security updates because Apple’s not doing good, or there’s a lot of security updates because Apple is keeping their eye on the ball and finding vulnerabilities.

Josh Long 9:53
What I would argue is that Apple actually could be patching more frequently, because what Apple does, or has a tendency to do throughout this year is they’ve released patches at an interval of like probably no more often than about every six weeks. And that’s really not a lot of patches when you know, for example, Microsoft releases like clockwork. Every second Tuesday of the month is Patch Tuesday for Microsoft, and some other companies like Adobe also tend to follow that same patch cycle. Apple doesn’t have a specific time when they’re going to be releasing updates, which you could argue is good or bad, right? If they’re releasing as often as there are at the very least zero-day vulnerabilities, like in-the-wild exploited vulnerabilities, then that would be great. But the thing is, Apple has had a tendency to wait a little bit longer in between patches. And so when you get these security updates from Apple, sometimes they include a ton of things, all being patched at once. And I do feel like Apple could do a better job of releasing updates more frequently to patch some of these known vulnerabilities throughout the year. So there’s definitely a case to be made that Apple is maybe doing a good job, but there’s also a case to be made that maybe they could be doing better.

Kirk McElhearn 11:18
Okay, in May, there was an interesting story where some users discovered, quote, unquote, sensitive photos that they had deleted, that reappear in their Photos Library. Some users claim to even have photos that they had never taken, as if they had purchased devices from Apple that somehow had photos on them. This was never really cleared up. Apple fixed this, saying it was a rare issue where photos that experience database corruption could reappear in the Photos Library even if they were deleted, but photos can’t experience database corruption. Photos are photos, and it’s not clear. I think this was a big tempest in a teapot for about a week, and then Apple released an update, and then no one talked about it.

Josh Long 11:58
Since then, there were a lot of fears that if you had resold your device or given it to somebody else, that they might get your pictures somehow popping up in their Photos Library. And what probably really was the case was that the Photos Library was corrupt. That’s the database probably that Apple was talking about here, and very likely, what was really going on, because there were so few and far between reports about this, it seems like probably what happened is that some people forgot that maybe a friend had sent them a picture at some point, they downloaded it to their photo library from Messages, and maybe they had deleted it and forgot that they had ever downloaded it in the past, and now, when it became visible again after an operating system update that sort of found these corrupt pictures from a database and resurfaced them, what happened, it seems like, is that people were like, Oh my gosh. Like, that’s a picture of my friend. I don’t remember ever having that in my Photos Library, and now all of a sudden it’s there. And people were getting concerned about that. So I think it was probably much ado about nothing. We still never really got the full explanation, but that’s what we do know about it, and I don’t think it was as big of a deal as everyone made it out to be.

Kirk McElhearn 13:20
Okay, we’re gonna take a break. When we come back, we’re gonna talk about the second half of the year.

Voice Over 13:26
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

Kirk McElhearn 14:36
Okay, in June, we did an analysis of some porn blackmail emails that have been sent out. Now, you get this email. It says that someone has hacked your camera on your computer or your phone, and they talk about Pegasus malware, which is not something that you know, average hackers would have, and they made some videos of you looking at porn and doing things. And you don’t want these videos to be shared, and send us Bitcoin, and then we’ll not make this footage public. Interestingly, I receive, I’d say, one of these a week still. Now they’re not going away. The latest ones actually have my address in them, so that means that my name and address have been in some sort of a data breach. We did a close forensic analysis of this email, and the emails are generally all the same, and we explain why they’re bogus. And they’re bogus.

Josh Long 15:24
Right. There have actually been very similar scams going on for many years now where people claim that they’ve hacked into your webcam. And so we’ve actually had some much older articles on the Mac security blog talking about similar scams. What’s interesting now is that they’re making it more personal by including information about you, like, for example, your real name and maybe even your home address, like Kirk was talking about there. So these things really tend to incite fear, and when you get that emotional response of suddenly, you know, being presented with information that’s real about you that makes people scared and more likely to act irrationally and believe this scam. So something to be aware of if you do get something like this in an email, whether it says it’s a porn blackmail kind of thing or not, be skeptical about it, because chances are this is somebody trying to scare you into believing whatever it is that they’re claiming, and it’s probably just a scam. They probably got your information from some database leak.

Kirk McElhearn 16:32
Okay, so June was also Apple’s Worldwide Developers Conference where they presented their new operating systems, which we now have, iOS 18, iPadOS 18 and macOS Sequoia. We did a quick overview of the top five security and privacy features in these operating systems. We’ve got more articles on the Intego Mac security blog about the various new security and privacy features. There are some interesting ones, but there’s, of course, AI Apple Intelligence. We’re not going to talk about that in this episode because we talked a lot about it in the last episode.

Josh Long 17:02
And just a quick overview of the five that we highlighted security and privacy features, Apple introduced a Passwords app which kind of replaces the iCloud Keychain. And on iPhone and iPad in particular, you used to have to go into the Settings app to find your passwords. Now there’s a separate Passwords app which is really convenient. You can now lock and hide apps and unlock them using Face ID or Touch ID if you have an older model, like, for example, an iPhone SE second or third generation that use Touch ID still. There’s also contacts permission improvements, so now you can choose individual contacts that you want an app such as Skype or TikTok to have access to. There’s now improved privacy and security settings. Private Cloud Compute was one of the things that Apple announced, along with Apple Intelligence, and this is something that is just starting to become a thing as new Apple Intelligence features are rolling out. But the whole idea behind this is that Apple has its own auditable cloud where they’re handling some of these offloaded AI tasks. So Apple has actually done a good thing here, I think, in that sense of being more transparent and also being open to security researchers.

Kirk McElhearn 18:12
Let’s move on. This is one of your hobby horses here that you’ve been following for a long time about Apple leaving critical vulnerabilities unpatched. And these are mostly open source elements within macOS that are the sort of Unix underpinning of macOS. And some of these are years out of date. And I don’t know how many times we’ve talked about this on the podcast. You’re on a crusade about this.

Josh Long 18:35
Yeah, and in fact, so these articles that I had written previously were about macOS Sonoma still including these, sometimes years out of date, important pieces of software that are part of the operating system or come bundled with the operating system, and well, in macOS Sequoia, which came out in September, we still have the exact same situation with pretty much all the same things still not being fully patched. And I don’t know what else to say about this. We talk about this all the time, but it is a real problem, and something that Apple needs to address at some point. And unless you know, reporters start to pay attention to my hand waving over here. You know, I don’t know that Apple is really ever going to do anything about it.

Kirk McElhearn 19:18
Okay. Something else we discussed in August was the risk of Chrome extension vulnerability. So if you use the Chrome browser, which had 10 zero-day vulnerabilities in the year, extensions also have vulnerabilities, and a large number of these extensions are released and never updated. And you may be using an extension that’s years old, that has a code library with known vulnerabilities, that has all sorts of security holes. It can allow people to get in through your browser and steal everything.

Josh Long 19:43
Yes, I thought this was a really fascinating report. I highly recommend reading the original report that we’ll, that we’ll link to in this article, and it’s, it’s so fascinating to see. Not, it’s, we’re not just talking about malicious Chrome extensions or even what we’ve also seen in the past is legitimate extensions that get bought by some supposed company that’s actually just a malware maker that’s wanting to buy up some popular extension so they can recraft it to do malicious things. But this is also talking about vulnerabilities that exist in, for example, outdated frameworks that they used when they were building these extensions. And so this is why, as a general rule, I highly recommend that you don’t use any third party browser extensions, if you can avoid it. You know, if you’re going to use an extension, use maybe a particular trusted ad blocking extension in your Chromium-based browsers. I really like uBlock Origin. It comes from a developer that I know is not going to sell out and that I know knows security really well, but there’s not a whole lot of other extensions that I really trust and recommend to people.

Kirk McElhearn 20:55
Okay. September was when Apple released their new operating system. So iOS 18, iPad, macOS Sequoia, watchOS 11, tvOS, whatever, HomePod, etc, etc, etc. We talked about the key security and privacy features back in June, and here we have specific articles about how to use Apple’s Passwords app, how to lock and hide apps on the iPhone and the iPad. And at the same time, we have an article about what Apple patched with these major updates and what they didn’t, because they don’t always fix everything.

Josh Long 21:26
And as usual, when macOS Sequoia came out, there were a bunch of vulnerabilities that only got patched for macOS Sequoia. You’ll notice that any time that Apple releases a major new operating system, they’ll also release some patches for the two previous macOS versions and usually for the one previous iOS version. But there’s a lot of things that don’t get patched for the previous operating systems and only get patched for the current operating system. This is why we always talk on the podcast about the importance of making sure that you’re on the very latest macOS or iOS or iPadOS version, whatever it might be. Don’t ever leave it behind on a previous version of the operating system. If you have an older Mac that Apple doesn’t support for the latest version of macOS, you can usually use a third party tool to upgrade it anyway. Of course, this is not supported by Apple, but there is a third party patcher that we talk about on the Mac security blog as well.

Kirk McElhearn 22:27
Okay, in November, we published an extensive article on the Intego Mac security blog entitled, “Is this link safe? How to check safely without clicking on it.” We’ve talked about phishing, we’ve talked about scam emails. We’ve talked about these invoice scams. All of these scams are designed to make you click links. The link takes you to a website. You log in, and then you’re hooked into the thing. We go through in this article explaining how domains work and subdomains, what the dots or the hyphens mean in URLs, how to display URLs, like you can hover your cursor over a link on Mac, you can tap and hold a link on iPhone or iPad. We talk about domains that are secure with HTTPS. We talk about extra words in a domain name to make it seem like it’s a legitimate domain, and if scammers have stuck some extra words in like secure files Dropbox to make you think it’s a link to Dropbox. This is a really important article to read, because you are going to get scam emails. You’re going to get lots of scam emails. You’re going to get them every week, every month, no matter what your email address is out there. So take a look at this article and learn how to be safe before you click links. Okay, in December, following up on that, we talked about a rash of fake package delivery messages. And these could come via SMS, but sometimes they come over iMessage. Now we all get these messages when we’re expecting packages. At least I do. There are certain carriers that always send text messages saying delivery between this time and that time. Click this link to track your driver. A couple of the courier services do that here. The problem is that these are fake and well, what do you know, these links are phishing links.

Josh Long 24:08
Companies will legitimately sometimes send text messages or emails that are similar to this. So the question is, how can you tell the difference between the fake ones and the real ones? And we go through very similar to what Kirk was just talking about, the kind of the differences between, like a hyphen and a slash in a web address. Because often you’ll get these text messages, they might even come over iMessage, like Kirk mentioned there, that’s kind of interesting, isn’t it? Because you might assume, if you happen to notice that it says iMessage at the top that you know, you might think, well, if this actually came over like Apple’s network, then maybe Apple did something to sort of vet this person and make sure that it really is the carrier. But it’s not. Carriers, at least all the ones that I’ve seen, any legitimate text messages, they usually do come over SMS. So this was kind of a surprise to see iMessage being used in the scam. But these things can come in an email as well. So just like Kirk was talking about with the how to know if a link is safe to click on, you know, hover over it if you’re on a Mac and you can see the address. And if you’re on an iOS device, if you want to, you can tap and hold on that. Now you do have to be a little careful about that, because there are certain circumstances where that might actually start to load the page, rather than just give you a preview of what the URL is going to be. So I do recommend being a little bit careful about that, because it depends on, I think, what app you’re using there, or there might be some settings related to that, but, but just be a little careful about that. Err on the side of caution, I would say. And if you’re just not sure, there are a couple things you can do. You can ask an expert. You can take a screenshot and send it to somebody that you know, who knows how to more easily identify these types of scams. Or when in doubt, just don’t click on it.
And the thing that I recommend doing is, for any really important sites, like your banking website or your Apple account, bookmark those pages in your browser and always go to that bookmark. Don’t ever google it, because there’s often poison Google ads that look like legitimate ads, and that will appear at the top of the search results. And so you’ve got to be really careful about googling things too. So bookmark any important sites and go to those bookmarks to log into your account and see if you have any special alert. And that’s the best way, I think, to tell whether some of these messages are real or not.

Kirk McElhearn 26:40
Now I’m trying to remember, I’m pretty sure that when I order things from Apple here, I get delivery notifications from Apple via iMessage, and I’ll often get two notifications, one from Apple saying your package is going to be delivered, and another from say UPS, saying we’ll be delivering at this time. So they do come from iMessage. So I would suggest you be very careful if it looks like it’s coming from Apple, to make sure it really is, like did you really order something? Are you really expecting something the day you get it?

Josh Long 27:08
Now, the message from your carrier that will probably come over SMS, but when Apple actually sends you a notification, they’ll do it via iMessage, and it’ll have a special badge next to it, and if you tap on that little badge, it’ll show you that it’s verified, meaning that this is a legitimate business that has registered itself with Apple. And so that’s a good way to know whether a message from Apple is really from Apple.

Kirk McElhearn 27:33
That’s actually a new feature that just rolled out in the past couple months. We’re going to talk about that at some point in the new year. I think that’s enough for now. This has been a busy year. There’s been a lot of stuff going on around Apple security and privacy. Josh, Happy New Year and stay secure, and I’ll see you next year.

Unknown Speaker 27:48
All right, stay secure.

Voice Over 27:52
Thanks for listening to the Intego Mac Podcast—the voice of Mac security—with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us in Apple Podcasts or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
